We currently have a rule that checks if the redirections are properly implemented and activate HSTS. The rule is that a request to plaintext www.example.com must be redirected to encrypted www.example.com before it goes anywhere else. However, this rule creates false positives in the case when there is a redirection to the parent host with includeSubDomains enabled.
Policy preloaded
Excellent. This host is covered by a preloaded HSTS policy.
Preloaded host: whonix.org; includeSubDomains=true
Therefore it seems the following error is a false positive:
Redirection from HTTP to HTTPS not to the same host
When HSTS is used, the plaintext port should redirect to the HTTPS variant of the same hostname. This approach ensures that HSTS is enabled on that hostname, even if later the client is sent elsewhere. A redirection to another host is only safe if it is for a parent host that has HSTS with includeSubDomains enabled, but that's not the case here.
Starting point: http://whonix.org
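As an added illustration of the rule described above (the plaintext request must first be redirected to the HTTPS variant of the same host, with a redirect to a parent host accepted only when that parent serves HSTS with includeSubDomains), here is a small offline checker. This is example code written for this thread, not the project's own implementation: the hostnames are constructed, and the HSTS headers and preload entries a real scanner would observe over the network are passed in as plain dictionaries. The second helper, preload_covers, only reports whether a host falls under a preload entry (its own, or an ancestor's entry with includeSubDomains); how that should interact with the redirect rule is the question the thread is about.

```python
"""Offline check of the HTTP->HTTPS redirect rule discussed in this issue.

Rule: the plaintext request for a host must first be redirected to the HTTPS
variant of the *same* host, so the HSTS header for that host is seen before
the client is sent anywhere else. Exception: a redirect to a *parent* host is
acceptable when that parent serves HSTS with includeSubDomains, because its
policy then covers the original host as well.

All hostnames, policies and preload entries below are constructed examples.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urljoin, urlsplit


def _host(url: str) -> str:
    """Lowercase hostname of a URL without a trailing dot ('' if absent)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_parent(parent: str, child: str) -> bool:
    """True if `parent` is a proper ancestor domain of `child`."""
    return child != parent and child.endswith("." + parent)


def check_first_redirect(
    start_url: str,
    location: str,
    hsts_policies: Dict[str, bool],
) -> Tuple[bool, str]:
    """Evaluate the first redirect returned for a plaintext request.

    hsts_policies maps a hostname to the includeSubDomains flag of the HSTS
    header it serves over HTTPS (assumed to have been observed separately).
    Returns (ok, reason).
    """
    if urlsplit(start_url).scheme != "http":
        return False, "starting point is not a plaintext http:// URL"
    src = _host(start_url)
    target = urljoin(start_url, location)  # Location may be relative
    scheme = urlsplit(target).scheme
    dst = _host(target)
    if scheme != "https":
        return False, f"first redirect goes to {scheme}://{dst}, not to https"
    if dst == src:
        return True, "redirect to the HTTPS variant of the same host"
    if is_parent(dst, src):
        if hsts_policies.get(dst) is True:
            return True, f"redirect to parent {dst}, which serves HSTS with includeSubDomains"
        return False, f"redirect to parent {dst}, but it does not serve includeSubDomains"
    return False, f"redirection from HTTP to HTTPS not to the same host ({src} -> {dst})"


def preload_covers(host: str, preload: Dict[str, bool]) -> Optional[str]:
    """Return the preload entry covering `host`, or None.

    preload maps preloaded hostnames to their includeSubDomains flag. An entry
    always covers the host itself; it covers subdomains only when
    includeSubDomains is set.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in preload and (i == 0 or preload[candidate]):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed observations: example.com serves HSTS with includeSubDomains.
    policies = {"example.com": True}
    cases = [
        ("http://www.example.com/", "https://www.example.com/"),  # same host: ok
        ("http://www.example.com/", "https://example.com/"),      # parent w/ iSD: ok
        ("http://example.com/", "https://www.example.com/"),      # child, not parent: fail
        ("http://www.example.com/", "http://example.com/"),       # still plaintext: fail
    ]
    for start, loc in cases:
        ok, why = check_first_redirect(start, loc, policies)
        print(f"{'OK  ' if ok else 'FAIL'} {start} -> {loc}: {why}")
    print("preload covers www.example.org:", preload_covers("www.example.org", {"example.org": True}))
```

The checker only looks at the first hop, which is what the rule is about: later hops may go anywhere once the HSTS policy for the starting host has been delivered. Note that a redirect from a parent to its own subdomain (http://example.com to https://www.example.com) is not the exception the rule allows, since a subdomain's HSTS header cannot cover its parent.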